Privacy Policy
Demma Online Booking Privacy Policy
Effective date: July 2025
1) Scope
This Privacy Policy explains how Demma Aesthetics (“we,” “us,” “our”) collects, uses, and protects personal information when you book appointments online through our website, booking widget, or mobile experience (the “Services”). For details on how we handle Protected Health Information (PHI), please see our Notice of Privacy Practices (HIPAA) [link or “available at our office”].
2) Our HIPAA & Security Commitment
We use HIPAA-compliant systems and processes to safeguard PHI and other personal information. We maintain Business Associate Agreements (BAAs) with applicable vendors. Data you provide is secured with administrative, technical, and physical safeguards, including encryption in transit and at rest, role-based access controls, audit logging, and staff training. While no method is 100% secure, we continuously work to protect your information and meet HIPAA Security Rule requirements.
3) Information We Collect
- Contact & Identity: name, email, phone, date of birth.
- Appointment Details: service, provider, date/time, notes.
- Payment (Card on File): tokenized payment method (stored by our PCI-compliant processor); we do not store full card numbers.
- Preferences & Consents: communication preferences, policy acknowledgments.
- Technical Data: IP address, device/browser, cookies/analytics data.
- Optional Health Inputs: limited info you choose to share to help us schedule appropriately. Avoid highly sensitive details in free-text fields.
4) How We Use Your Information
- Schedule/manage appointments; send confirmations, reminders, and updates.
- Enforce scheduling policies (e.g., late-cancel/no-show fees) via card on file.
- Provide support and improve our Services.
- Send marketing with your consent (opt out anytime).
- Maintain security, prevent fraud, and comply with law.
5) Cookies & Analytics
We use cookies and similar technologies to operate and improve the booking experience. Where required, we’ll request consent via a banner. Disabling cookies may limit functionality.
6) Disclosures to Third Parties
We share information with:
- Scheduling/EHR & Messaging Platforms: [Platform Name(s)]
- Payment Processor: tokenized storage and fee processing (PCI-compliant)
- Service Providers: IT/hosting, email/SMS, analytics, security (under confidentiality)
- Legal/Compliance: when required by law or to protect rights/safety
We do not sell personal information and do not disclose PHI for marketing without appropriate authorization.
7) Card on File & Payments
Cards are stored by our PCI-compliant processor using tokenization. We may charge per our Scheduling Policy (e.g., late-cancel/no-show fees). See our Card on File/Scheduling Policy for details.
8) Text Messaging (SMS) & Email
By providing your contact info and booking online, you consent to transactional messages (confirmations, reminders, updates).
Marketing messages are sent only if you opt in; unsubscribe anytime (reply STOP for SMS). Standard carrier rates apply.
9) Children
Our Services are intended for individuals 16+ (or as required by law). We do not knowingly collect personal information from children below applicable age thresholds without proper consent.
10) Data Retention
We retain booking records as needed to provide Services and meet legal/regulatory requirements, then securely delete or de-identify them.
11) Security
We implement measures aligned with HIPAA Security Rule principles, including encryption in transit and at rest, multi-factor authentication where enabled, least-privilege access, audit trails, backups, and employee training.
12) Your Privacy Rights
Depending on your location, you may request access, correction, deletion, or restriction of certain data, and opt out of marketing. To exercise rights, contact [privacy email]. We may need to verify your identity.
13) Third-Party Links
Our website may link to third-party sites. Their privacy practices are separate; please review their policies.
14) Changes to This Policy
We may update this Privacy Policy periodically. The effective date above reflects the latest version. Material changes will be posted here and, where appropriate, communicated to you.